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1. Highly nonlinear functions in the Abelian group setting 

The study of nonlinear properties of Boolean functions is one of the major tasks 
in secret-key cryptography. But the adjective "nonlinear" has several meanings: it 
can be related to the resistance against the famous differential attack [2] and, in 
this interpretation, actually refers to (almost) perfect nonlinear functions. Moreover 
nonlinearity is also related to the maximum magnitude of the Fourier spectrum of 
Boolean functions - under the names "bent", "almost bent" or "maximal nonlinear" 
functions - which is itself linked to the resistance against the linear attack [17] . These 
two ways to define nonlinearity are not independent and even, in many situations, 
are exactly the same. 

Most of the studies and results on nonlinearity concerns Boolean functions, or in 
other words, functions from K to N where K and N are both elementary Abelian 
2-groups. Even if this kind of groups seems to be very natural for cryptographic 
purpose, there is no rule that prevent us to use more complex groups and even non- 
Abelian ones. In this paper, we will discuss the standard notion of nonlinearity in 
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2 Laurent Poinsot, Alexander Pott 

the non-Abelian setting. Nevertheless we begin by some definitions and basic tools 
used to study nonhnearity in the Abehan case. In order to keep the paper fairly 
selfcontained some proofs of well-known results will be added. 

Let K and N be two finite groups written multiplicatively of orders m and n 
respectively. Let G be the direct product K x N. A mapping f : K N is called 
perfect nonlinear (see [18]) if and only if for each a £ K , a Ik and each b £ N, 
the quantity 

5f{a,b) = \{geK\f{ag){f{9))-'^b}\ (1) 

is constant equals to ^. In [10| the reader may find a very complete survey on 
the subject. In the cases where n does not divide m, it is impossible for perfect 
nonlinear functions to exist. We note that perfect nonlinear functions also cannot 
exist if K and N are elementary Abelian 2-groups of the same order. Actually, a 
more general result holds: 

Theorem 1. Let K he an arbitrary group of order m = 2°, and let N be an Abelian 
group of order n = 2^ . A perfect nonlinear function f : K ^ N does not exist, if 

1. a is odd; 

2. a — 2s is even and b > s + 1. 

For proof, we refer to |12l 161 iS] . Since perfect nonlinear functions do not exist 
in many cases, the following definition is meaningful: we call f : K ^ N an almost 
perfect nonlinear (APN) function (see [TO]) if and only if 

E Sfia,bf< S,ia,bf yg : K ^ N . (2) 

(a,b)£G ia,b)£G 

Both these definitions do not use the commutativity in a group. Hence these defi- 
nitions also apply to the non-Abelian situation. 

With each function f : K ^ N we associate its graph Df C G: 

Df = {{g,f{g))\geK}. (3) 

This set plays an important role in the study of nonlinear properties of the corre- 
sponding function. For instance / is perfect nonlinear if and only if its graph is a 
splitting (m, n,m, ^) difference set in G relative to the normal subgroup N. Recall 
that a set i? C G = A' X of cardinality fc is a (splitting) (m, n, k, A) difference set 
in G relative to N if and only if the following property holds: the list of nonidentity 
quotients r(r')~^ with r,r' G R covers every element in G\{1k} x JV precisely A 
times and no element in {1^} x (A^\ {Iat}) is covered. The term splitting refers to 
the fact that the group in which the relative difference set exists is AT x A^, hence 
it "splits", where one of the factors is the "forbidden subgroup". We note that also 
non-splitting relative difference sets are studied, however for applications in cryp- 
tography only mappings f : K ^ N seem to be of interest, and then the graph 
corresponds to a splitting relative difference sets. Moreover, we have k = m in this 
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Non-Boolean Almost Perfect Nonlinear Functions on Non-Abelian Groups 3 

situation, and this case is called semi-regular. There are also many relative differ- 
ence sets known where k ^ m. For a survey on relative difference sets, we refer to 

m- 

In general such combinatorial structures are studied using the notion of group 
algebras. Let G be a finite group (written multiplicatively) and R a commutative 
ring with a unit. We denote by R[G] the group algebra of G; its underlying R- 
module is free and has a basis indexed by the elements of G and which is identified 
to G itself: so it is a free i?-module of rank |G| and, as such, isomorphic to the direct 
sum Rg where for each g G Rg = R. 
g&G 

Every element D of R[G] can be uniquely represented as 

Z? = ^ dgg, with dg e R . (4) 

gee 

The addition in R[G] is given as a component-wise addition of R. More precisely 




Em =E(«9 + ^9)5 (5) 

while the multiplication - convolutional product - is 

H «95 XI ^9-9 = H "-hbh-ig \ g . (6) 

vseG / \geG J geG \heG / 

Finally the scalar multiplication by elements of R is the usual one 

^[Y.'^ag] =Y.(^'^9)9, ^iti^^^R- (7) 

\g€G J g€G 

Any subset Z? of G is naturally identified with the following element of R[G] 

see geD 
where we define the indicator function of D 

When R -- 

I \ 

where z is the complex conjugate of z e C. 

For instance for a function f : K ^ N and G = K x N, we have 

DfDy'^= E Sfia,b)ia,b)€Z[G]. (11) 

(a,b)eG 
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4 Laurent Poinsot, Alexander Pott 

As we claimed above, {m,,n,k, X) difference sets in G = K x N relative to N 
have a natural interpretation in Z[G] because R C G is such a set if and only if it 
satisfies the following group ring equation: 

= fclG + A(G - iV) . (12) 

Therefore, we have the following well known theorem which holds in the Abelian as 
well as in the non- Abelian case: 

Theorem 2. A function f : K ^ N is perfect nonlinear if and only if the graph 
Df of f is a splitting {m,n,m, ^) difference set relative to {Ik} x N. 

Another important tool for the study of highly nonlinear mappings - but re- 
stricted to the case of finite Abelian groups - is the notion of group characters. 
A character x of a finite Abelian group is a group homomorphism from G to the 
multiplicative group C* of C. The elements xig) belong to the unit circle of C. 

The set of all such characters of a given Abelian group G, when equipped with 
the point-wise multiplication of mappings, is itself a group (called the dual group, 
denoted by G), isomorphic to G. The character xo : G G i— >■ 1 is called the 
principal character of G. The characters of a direct product K x N are given by 
X = Xk Xn where (a, &) € A' x A'^ is mapped to XK{o-)XN{t') G C, and where 
Xk is a character of K and xn a character of N. The characters of G can be 
naturally extended by linearity to homomorphisms of algebras from C[G] to C: if 
D ~ ^ dgg e C[G] and x is a character of G, then 
geG 

x{D) = '^sxig) ■ (13) 

There is an important formula for characters of Abelian groups which also holds 
for non- Abelian groups, see Theorem [H 

Theorem 3 (Inversion formula) Let G be an Abelian group, and let D = 
Til geG '^gd '^^ element in C[G]. Then 

rf.- I^E^(^)•x(^?"')■ 
Corollary 4 (Parseval's equation) Let G be an Abelian group. For D = 

Tgeo'^aS ™ C[G], we have 

Proof. This follows easily from the inversion formula applied to the coefficient of 
the identity element in D ■ D^^. □ 
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Using these characters we can introduce another criterion of nonhnearity: a func- 
tion f : K ^ N (where K and N are both finite and Abehan) is called mELximum 
nonlinear if and only if 



max \x(Dj)\ < max \x{D,)\ ^g:K^N (14) 



or, equivalently 



max \x{Df)\ = min max \x{Dg)\ . (15) 



The value -^/l/^l is a lower bound for the quantity max |x(^/)| which follows 

XNt^Xo 

easily from Parseval's relation for Abelian groups (Corollary |4]) . A function that 
reaches this theoretically best bound is called bent. A function is bent if and only 
if it is perfect nonlinear as defined above.. This follows easily by applying characters 
to the group ring equation (fT2|) . see also [10| 21j . 

Finally, characters allow us to give another characterization for APN functions: 



Theorem 5. Let K and N be two finite Abelian groups. A function f : K ^ N is 
almost perfect nonlinear if and only if 

E ix(^/)r < E "ig'-K^N . (16) 

X X 

Proof, [sketch) As before, let G = K x N. Consider the coefficient of the identity 
element in (DgDg "'^^)^: this is precisely X](a f))eG '^s('^' ^)^" Therefore, minimizing 
T.{a,b)eG equivalent to minimizing J^^ \x{Dg)\^. □ 

Remark 6. (1) If all character values x{Df) with XN 7^ Xo the same, then an 
almost perfect nonlinear function is actually perfect nonlinear. 

(2) Theorem\^ is well known for the elementary Abelian case (see and also 

known for the Abelian case \21\ . It is one of the purposes of this paper to show 
that one can even extend it to the non-Abelian case. 

In some particular cases, we know a lower bound for the sum of the fourth-power 
of the absolute value of x{Df). Indeed when K and N are two elementary Abelian 
2-groups of order m, then it can be shown that for each f : K N, 

2m3(m-l)< J2 MDfT (17) 

X5^Xo 

and since xo{Df) = \Df\ = \K\ = m, we have 

m'i3m^2)<Y,\x{Dft ■ (18) 

X 

It is very important to note that these arguments only work in the elementary 
Abelian case: the proofs rely on the fact that the Sf{a, b) are always even in charac- 
teristic 2. We refer the reader to the original paper [11]. see also |10| 21j . Together 
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6 Laurent Poinsot, Alexander Pott 

with Corollary [H inequality (|17p yields yet another lower bound for the quantity 
max |x(^/)l ill tl^^ elementary Abelian case: 

XN^XO 

Theorem 7 Let f : K N where K and N are elementary Abelian 2- 

groups of order to = 2". Then 

max \x{Df)\ > V2m . (19) 
Moreover when n is odd, a function f : K N is maximal nonlinear if and only if 



max \x{Df)\ = v2to . (20) 

In this case, the function is almost perfect nonlinear and the lower bound given in 
inequality I118\) is reached. 



Contrary to the odd case, when n is even obviously the previous lower bound 
mot be re 

instance [9]) 



cannot be reached. The lowest possible value of max [^(i^/)! satisfies (see, for 

Xn/Xo 



V2m < min max \xiD f)\ < 2\/rn . (21) 

f:K^N XN^Xo 

Moreover, the lowest known value corresponds to the upper bound. 

Example 8. (1) The classical example of an almost perfect nonlinear function f : 
Fj" — >■ F2" is f{x) = x^ , where the group is identified with the additive group 
of the finite field . This function is also maximum nonlinear if n is odd. In 
the n even case, it is a function where the largest nontrivial character value is 
2t~, hence the upper bound in i21\) is reached, see 0, for instance. 

(2) Similarly, the classical example of a perfect nonlinear mapping is x^ defined on 
Fpn, p odd (this is folklore). 

We note that recently many new perfect and almost perfect nonlinear functions 
have been discovered. It seems that the ideas to construct perfect and almost per- 
fect nonlinear functions are somewhat similar, therefore the discovery of new almost 
perfect nonlinear functions did influence the investigation of perfect nonlinear func- 
tions which are of great interest in finite geometry. For the characteristic 2 case, 
we refer to [9] and the references cited there, in particular |4| 5| 6| 13| 14j : for the 
perfect nonlinear case see |1| 71 8| 23] . for instance. 

The purpose of this paper is to develop these ideas - almost perfect nonlinearity 
and maximum nonlinear functions - in a larger context than the classical elementary 
Abelian 2-groups, namely the case of finite non- Abelian groups. For this objective 
we introduce the appropriate notion of "non- Abelian characters" in the following 
section. 
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Non-Boolean Almost Perfect Nonlinear Functions on Non-Abelian Groups 7 

2. Basics on group representations 

The reader may find the definitions and results listed below (and lot more) in the 
book [22] , 

A (linear) representation of a finite group G is a pair (p, V) where is a 
finite-dimensional C-vector space and p is a group honiomorphism from G to the 
linear group GL(y). In practice the group homomorphism p is often identified with 
the representation (p, V) and we may sometimes use the notation Vp to refer to 
the second component of {p, V) . The dimension of the representation (p, V) is 
defined as the dimension of the vector space V over the complex field and denoted 
by dim p. Two representations (pi, Vi) and (p2, V2) of the same group G are said to 
be equivalent if there exists a vector space isomorphism T : Vi — > V2 such that for 
each g G G, 

Top^{g)^p^{g)oT . (22) 

Two equivalent representations may be identified without danger. Continuing with 
definitions, a representation (p, V) is irreducible if the only subvector spaces W 
of V so that {p{g)){W) C W for every g £ G are the null-space and V itself. The 
dual G of a finite group G is the set of all equivalence classes of irreducible repre- 
sentations of G. When G is an Abelian group, G is dual group of G, as introduced 
earlier. In particular a finite group is Abelian if and only if all its irreducible rep- 
resentations are one-dimensional. Let [G, G] be the derived subgroup of G, i.e., the 
subgroup generated by the elements of the form ghg^^h^^ for {g,h) E G^. It is 
a normal subgroup and the quotient-group G/[G, G] is Abelian. One-dimensional 
representations of G are related to this derived group since their total number is 
equal to the order of G/[G, G]. The cardinality |G| of the dual of G is equal to 
the number of conjugacy classes of G. The (equivalence class of the) representation 
{po, C) that maps each element of G to the identity map of C is called the principal 
representation of G. For practical purpose we identify the value paig) as the number 
1 rather than the identity mapping of C or, in other terms, we identify po{g) and 
its trace tr{po{g)) = 1. 

We can also construct some linear representations from existing ones. For in- 
stance, given the dual sets of two finite groups K and N , one can build up the dual 
^ X TV of their direct product. This construction uses the notion of tensor prod- 
uct of two vector spaces. So let Vi and V2 be two complex vector spaces. We call 
tensor product of Vi and V2 a vector space W equipped with a bilinear mapping 
j : V1XV2 ^ W such that the following property holds. For each C-vector space V3 
and for each bilinear mapping / : Vi x V2 — > V3 there exists one and only one linear 
mapping f : W V3 such that foj = /. It can be shown that there is one and only 
one such vector space W (up to isomorphism) . It is denoted by Vi ® V2 . Moreover if 
{el}^)k is a basis of Vi and (e^^')^ is a basis of V2, then the family {j{e\^\ £f^)){k,e) 
is a basis of W. This property shows that 



dimiVi ® V2) = dim(yi) dimCl/a) 



(23) 
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8 Laurent Poinsot, Alexander Pott 

In particular for every vector space V ^ we have V®<C — 'C®V = V (equality up 
to isomorphism). For (wi,U2) G Vi x V2, we denote j(vi,V2) by vi ® V2- Since j 
(and therefore ®) is a bilinear mapping we have {avi + Pwi) ® V2 — olvi ® V2 -\- 
/3wi <Si V2 and the corresponding equality holds for the second variable. So now let 
pi : K GLiVi) and p2 ■ N ^ GL{V2) be two representations. Then we define a 
representation pi® p2 oi K y. N in Vi ® V2 by 

{pi® P2){k,n) = pi{k)® p2{n) with {k,n) £ K x N . (24) 

Moreover, one can show that if pi and p2 are both irreducible then pi ® p2 is an irre- 
ducible representation oi K x N. And reciprocally, every irreducible representation 
of K X N is equivalent to a representation of the form pi ® p2, where pi (resp. P2) 
is an irreducible representation of K (resp. TV). Given an irreducible representation 
p oi K X N, we use pK and pjv to denote the representations of K and N such 
that p is equivalent to pK (E) pn- system of representatives of equivalence classes 
of irreducible representations oi K x N is given by this way. Actually, the classes 
of representations of a given group G may be used to form a ring: just take the 
free Abelian group generated by all isomorphism classes of representations of G, 
mod out by the subgroup generated by elements of the form pi + p2 — {pi ® P2), 
where pi © p2 is the obvious direct sum of two (classes of) representations. It can 
be proved that the irreducible representations form a basis for this Z-module. The 
ring structure, called the representation ring of G, is then given simply by tensor 
product pi® p2 : 3 <= G ^ pi{g) ® P2{g) <= GL{Vi (8) V2), defined on these generators 
and extended by linearity. 

Note that every irreducible representation is equivalent to a unitary represen- 
tation i.e. a representation p such that p(g^^) = p(.9)*, where the star denotes the 
usual adjoint operation. Indeed, let p : G — > GLiV) be a representation of a finite 
group G, where V is an Hermitian space (together with a scalar product (•, •)) and 
let us consider the following Hermitian product: {x, y)p = {p{g){x), p{g){y)). It is 

g&G 

easy to prove that for every x,y G V and every g £ G, {p{g){x), p{g){,y))p = (a;, y) p 
in such a way that p{(j) is unitary with respect to (■, ■)p for each g £ G. Therefore, 
in what follows we assume that G is actually a complete set of representatives of 
non-isomorphic irreducible representations, all of them being unitary. 

We naturally extend a representation {p, V) by linearity to an algebra homo- 
morphism from C[G] to End{V), the linear endomorphisms of V, by 

p{D) = ^9P{9) , (25) 
see 

with D — dgg. As a particular case one can prove the following relations: 



(26) 
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for every p & G, and 

= (27) 

peg 

For D e C[G] we may define its Fourier transform aa D ^ p{D)p, which can 

pGG 

be identified with {p[D)) G End{Vp). Then the Fourier transform is the 

pSG 

mapping 

J" : C[G] ^ 

peg (28) 
D ^ D . 

Note tliat in the case where G is a finite Abelian group, then every irreducible 
representation is one-dimensional and End{C) is isomorphic to C. Therefore for 
D e C[G], we have 5 g C ~ C[G]. 

peg 

The coefficients p{D) of the Fourier transform D of D are used in the sequel to 
study nonlinear properties of functions f : K ^ N in the general case where both 
K and N are finite groups, not necessarily commutative. 



3. Almost perfect nonlinearity 

In this section, we develop a Fourier characterization of APN functions in the non- 
Abelian setting, using group representations. We also introduce the relevant notion 
of bentness in this context and we show that, contrary to the classical case, this is 
not equivalent to perfect nonlinearity in this general framework. 

Let G be a finite group. The following theorem is well known; we include a proof 
to keep the paper more self-contained. 

Theorem 9 (Fourier inversion, Parseval's equation) Let D = dgg be an 

geG 

element in the group algebra C[G]. Then the following holds: 

dg = J—- dim/? tr{p{D) o p{g^^)) {Fourier inversion) (29) 
|G| ^ 

|dg|^ = j-^ dimp ||p(D)||^ {Parseval's equation) (30) 



where \\f\\ is the trace norm of a linear endomorphism f given by \\f\\ = 
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Proof. We have 



peG 

tr I dhh) o o(a-^) I 

(31) 



= (i/i dim /9 tr{p{hg ^)) (by linearity of the trace and p) 

= IGldg (according to eq. ((77)1 ). 

This proves the Fourier inversion formula. 
We have 

DD^-^'> = E ( E d/> J 5 . (32) 

geG \heG ) 

In particular the coefficient of the identity 1g in this formal sum is Mg|^- We 

see 

can also compute this coefficient by using the Fourier inversion on IS 
given by 

I^Xdimptr(p(Z?i?(-i))) 
" IGI E ° P(^)*)) (since p is unitary) ^33^ 

P6G 

= pEdinip||p(i?)f . 

pGG 

We may assume that G is a set of unitary representatives of irreducible representa- 
tions. Therefore Parseval's equation holds. □ 

Using group representations we obtain an alternative formulation for almost 
perfect nonlinearity. Note that the definition of almost perfect nonlinearity given in 
eq. ([2]) holds for the Abelian as well as non-Abelian situation. 

Theorem 10. Let K and N he two finite groups. Let G be the direct product K x N . 
A function f : K ^ N is almost perfect nonlinear if and only if 

^dimp \\piDf)\\^ < ^dimp \\piDg)\\\ ^g-.K^N . (34) 

peG peG 

Proof. We have DfO^^^ = ^ Sf{a,b)ia,b). So using Parseval's equation we 

{a,b)eG 
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Non-Boolean Almost Perfect Nonlinear Functions on Non-Abelian Groups 11 

obtain: 

(a,6)eG ' ' ped 

= pEd™p||p(^/)°p(i?/)lP (35) 

pGG 

Because a function f : K ^ N is APN if and only if for every g : K ^ N, 

E Sf{a,b)'< E S<^i^^bf, (36) 

(a,h)eG (a,h)eG 

this concludes the proof. □ 

Group representations can be used to find another criterion for the nonlinearity 
of functions. As before, K and N are both finite groups of order m and n, and 
f : K ^ N. For some p E K x N, the values of p{Df) are known: 

P(D ) = I if P = PO , .g^S 

\ Oy if p = pif (g) po and (pk, V) is nonprincipal on K . 
Indeed first let us suppose that p is principal on G. Then we have 
Po{Df)^ E '^Df{a,b)po{a,b) 

(a,fc)eG 

= E '^Df{a,b) 

(a,&)eG (38) 

= 1^/1 
= \K\ 



Now let us suppose that p — pK ® po with {pK-,V) nonprincipal on K. Then we 
have 

p{Df)^ E '^Df{a,b)PK{a)® po{b) 

= E PKio)® PoUio)) 

= E PKia) (since V (E) C = V) 

= Pk{K) 

= Oy (according to eq. (pS)) ').. 

Parseval's equation and an analogy with the Abelian case, suggest us to say that 
a function f : K ^ N is called maximum nonlinear if and only if the value 
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^J AircL p\\p{D f)\\ is as small as possible, or in other terms (using the known values 
oip{Df)) 



max v^dim p \\p{Df)\\ < max ^dim p \\p{Dg)\\ : K N . (40) 

Pn^Po Pn¥=Po 

As in the Abelian case, we obtain the following lower bound for this quantity: 
Theorem 11. Let f : K ^ N . Then 

max dim« \\p(Df)\\^ > . (41) 

p„5^Po ^ '"^^ - \K\{\N\-1) 

Proof. By Parseval's equation applied to Df, we have 

-L\2dimp\\piDj)r^ J2 lD,(a,6)2 

pl^ (a^r.G (42) 

= m . 

So we have 

^dimp|lp(D/)f = |G|m = m2n. (43) 

peS 

We know some values of p{Df) that allow us to compute the following sum: 
dimp||p(I?/)j|2 = ^dimp||p(i?/)|P_ ^ dimp ||p(I?/)||2 

PN#PO peg PN=pa 

= m"n- dimpo Hpo(%)|p^ - ^ dimp ||p(Z?y)||2 

' Pn=Po, P=^Pq (44) 

^ , ' 

=0 

(according to eq. (|43p and eq. ([37|) 
= m^(n — 1) . 

Now we need to evaluate the number of principal representations on N: it is equal to 
\K\. Then there are IGj — |-fir| nonprincipal representations on N . But \G\ = |A'||-/V|. 
Therefore we have 

max dimp ||p(D;)f > ■ (45) 

Piv/po |A|(|A^|-1) 

□ 

The proof also shows that 

max dimp ||p(Z?/)!p = ^ ^ p^ ^ p^, \\p{D =V ^ (46) 

p«#po |A|(|A^|-1) 

where 

m2(n-l) 



dimp|/-i:|(|iV| - 1) 
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In the Abelian case, the righthand side of this equivalence turns out to be the 
definition of bent functions since dim p — 1, \K\ — m and |A^| = n. It is well known 
that classical bentness is equivalent to perfect nonlinearity, as we stated before. 
Now if we take the righthand side of equivalence (|46|) as a natural definition for 
bentness in the non-Abelian case, we can prove this notion to be nonequivalent 
to perfect nonlinearity in many situations. Let us suppose that / : A" — > is both 
perfect nonlinear and bent. Since / is perfect nonlinear its graph Df, as an element 
of Z[G'], satisfies the famous group ring equation (|12|) for relative (m,n, m, ^). 
difference sets So for (p, V) G G, we have 

piDfD^f'^) = midv + A(p(G) - p{N)) , (47) 

where Idv denotes the identity mapping of V . Now let us suppose that p^ ^ pQ. 
So we have p{G) = Oy and p{N) = pk{1k) ® Pn{N) = Oy according to eq. ([26|) . 
Then in this case we obtain: 

p{DfD\-^'^) = p{Df) o p{Df)* = mIdv . (48) 

By using the trace on both sides of the last equality above, we have for pn ^ Po 

\\p{Df)\\'^ ^mdiiTYp. (49) 

But since / is bent, combining eq. and the righthand side of equivalence pS)) . 

m{n - 1) = (dimp)2|A'|(|iV| - 1) . (50) 

This equality may hold if and only if dim p is the same for every p € G such that 
Pn 7^ Po (we exclude the trivial case where |A^| = 1); this is for instance the case 
if both K and N are Abelian. We can show that in the case where at least one of 
AT or A^ is non-Abelian and distinct of its derived group@ (for instance it is a non 
sovable group), and A^, when Abelian, is not reduced to the trivial group, then the 
previous equality cannot hold and therefore perfect nonlinearity and bentness - as 
introduced by analogy - are nonequivalent and even paradoxical in this non-Abelian 
setting: 

1. First let us suppose that A^ is a non-Abelian group such that A^ ^ [N, N] (this is 
the case of non solvable groups). By assumption A^ has at least one irreducible 
representation of dimension d > 1 (it is ipso facto a nonprincipal representation), 
call it pj^^ . Since the number of one-dimensional representations of A^ is exactly 
I N/ [N, N] I , there is also at least one such representation which is nonprincipal 
(for if \N/[N,N] \ = 1 then A^ = [A^, A^]). CaU pj^' one of them.. Now let pK be 
any d'-dimensional irreducible representation of AT, then pK (X" p^^ (for i = 1, 2) 
are both irreducible nonequivalent representations oi G = K x N which are non 
principal on A^. We have dimpx (8) pj^^ = d'd > dimp^ <8) pj^"* — d' . 



^If for a nonabelian group H, H ^ [H, H] then H is not a simple group. 
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2. Secondly, let us suppose that K \s a, non-Abelian group such that K ^ [K, K] 
and, if N is non-Abelian then ^ [N, N] and if A^ is Abelian then it is not 
reduced to the trivial group, i.e., \N\ > 1. According to case 1., we already know 
that K has at least one nonprincipal one-dimensional representation, call it , 

(2) 

and at least one irreducible representation of dimension d > 1, call it p]^ . If 
A^ is Abelian, since it is not the trivial group, it has at least one nonprincipal 
(one-dimensional) representation. According to 1., this is also the case if A^ is 
non-Abelian and A^ ^ [A^, A^]; call pjv this representation. Then p"^ ® Pn (for 
i = 1, 2) are both irreducible nonequivalent representations oi G = K y. N which 
are nonprincipal on A^. We have dimp^^ (g) pjy = 1 < dimp^^ ® pisi — d. 



4. Some computational results and open questions 

In this section we present some results given by formal computations using GAP 
[T5] and MAGMA [5]. There are three goals: 

• Almost perfect nonlinearity, see Theorem 1101 Minimize 

J2dimp\\piDf)\\* 

ped 

for functions f : K ^ N, where G — K x N. 

• Maximal nonlinearity, see eq. ()40|1 : Minimize the maximum of 



\\piDf)\\ 

for aU f : K ^ N. 

Bentness, see eq. (^5)1 : Find functions f : K N such that 

m^(n — 1) 



Vpjv^Po, \\p{Df)\\ 



dimpli^KlA^I - 1) 

We note that besides the bounds given in this paper, no general results for arbitrary 
groups are known. Here we do not want to give extensive computational results but 
we want to indicate some interesting phenomena which occur in the non-Abelian 
setting. Note that for groups K and A^, we have to go through all mappings K N, 
whose number is |A^|I^^I. Hence the approach to find "good" functions by a complete 
search is very limited, and it would be interesting to find theoretical constructions 
which are provable maximal nonlinear or almost perfect nonlinear. 

Let us begin with the two goups of order 6, the cyclic group Zg and the symmetric 
group 53. In Table 1, we list the "best" values (marked in boldface) both for the 
maximum nonlinearity as well as almost perfect nonlinearity. 

It is remarkable that the measure of almost perfect nonlinearity is by far the least 
in the case {K,N) = (S^^'^e) and not in the Abelian case. Moreover, if {K,N) ~ 
(iS3,Zg) each almost perfect nonlinear functions is also maximal nonlinear. This 
situation fails to be true in all the other cases where no almost perfect nonlinear 
function is also maximal nonlinear. 
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Table 1. Non-Abelian groups K, N of order 6, f : K N 



K 


N 


min dim p|jp(Dg)|^ 


min max ^dim p||p(-D9)|| 


S3 




2376 


4 




S3 


3972 


4^2 


53 


S3 


3552 


2VT4: 






2808 


2V3 



We also made a complete search for the case of abelian groups of order 8 (Table 

2). 









Table 2. Abelian 


groups K, N of order 8 


f -.K^ N 




K 




N 


min VIpCDs)!* 
peG 


max \p{Dg)\ 

g:K^N p\ff^pa 




Zg 




Zg 


8832 


VlO + 4V^ 




Zg 




Z4 X Z2 


8576 


4 




Zg 




Z2 X Z2 X Z2 


9216 


4 


Z4 


X 


Z2 


Zs 


8960 


4 


Z4 


X 


Z2 


Z4 X Z2 


9216 


4 


Z4 


X 


Z2 


Z2 X Z2 X Z2 


10240 


4 


Z2 X 


Z2 


X 2 


^2 Z8 


9216 


4 


Z2 X 


Z2 


X 2 


^2 Z4 X Z2 


10240 


4 


Z2 X 


Z2 


X 2 


^2 Z2 X Z2 X Z2 


11264 


4 



The case = = Zg is of interest: Here the maximum character value is 
strictly smaller than 4, hence there is a function which is "better" than in the 
elementary- Abelian case0. In contrast to the other cases, this "smallest" maximum 
is not reached for the functions which minimize the sum of the fourth powers of the 
character values (which is 8960). 

We also searched for bent functions from to a group N such that 1 < |iV| < 5. 
Note that, in contrast to the Abelian case, the existence question for bent functions 
K ^ N is, also meaningful if \N\ is not a divisor of \K\. The results that we 
obtained are as follows: First of all, there is no bent functions if G {Z2,Z4,Z2 x 
Z2,Z5}. But there is (at least) one bent function f : S3 ^ Z3. Indeed we can 
check that the map / defined by f{id) = /((I, 2)) = /((2,3)) = /((I, 3)) = and 
/((I, 2, 3)) = /((I, 3, 2)) = 1 is bent, that is to say that y/dimp\\p{D f)\\ = 2^3 
for all /ojZa 7^ pQ. The group 1S3 has two one-dimensional representations and one 
two-dimensional representation, and Z3 has three one-dimensional representations 
therefore |g |(^^ ^-^^ = 12. We have ydim p\\p{Df)\\ = 2\/3 for each representation 



''An example of the graph of such a function is {(0, 0), (1, 5), (2, 7), (3, 7), (4, 7), (5, 4), (6, 5), (7, 4)} 
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p G S3 X I13 which is nonprincipal on Z3 . Due to the fact that ^3 has a representation 
of dimension greater than 1, / is not perfect nonUnear (see the discussion at the 
end of the previous section) . 

Finally, we would like to raise some questions. Regarding these questions, both 
computational results as well as infinite families are, of course, welcome. 

(1) Regarding the caracterisation of APN functions by mean of the sum 

dim /9 ||p(_Dj)||^ given in Theorem IIOI it should be interesting to find some 

functions / : A' — > for which this sum reaches some value which is better 
than the one in the classical case of elementary Abelian groups. 

(2) Find functions f : K ^ N such that dimp||p(D/)f = for all p 
nonprincipal on N i.e. non- Abelian bent functions). 

(3) Find functions f : K ^ N with \K\ |A^| = 2" = to {n even so that there 
are no almost bent functions) such that max dim/3||p(Z?/)|p < 4to, that is to 

say functions which are better than the known maximum nonlinear functions 
in the elementary- Abelian case. 

(4) Find functions f : K ^ N with |A'| = |Ar| = 2" = to (n odd, so that there 
are almost bent functions) such that max dim/9j|(0(D/)||^ < 2m, that is to say 

functions which are better than classical almost bent functions. Note that we 
found such an example for a mapping / : Zg — >■ Zg. 
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